Analysis Overview
SHA256
ca4ac1db528fea101b2ae61719719bf806aca32ae06bd47082492735c3f76651
Threat Level: Likely malicious
The file f089e121bd206ec93e6583651d2e559c_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Adds policy Run key to start application
Checks computer location settings
Loads dropped DLL
Deletes itself
Executes dropped EXE
Installs/modifies Browser Helper Object
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-15 07:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-15 07:03
Reported
2024-04-15 07:06
Platform
win7-20240221-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run | C:\Windows\SysWOW64\issearch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\issearch.exe = "issearch.exe" | C:\Windows\SysWOW64\issearch.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\issearch.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\issearch.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f4d74aaa-a178-4463-846b-b4bc87a024e0} | C:\Windows\SysWOW64\issearch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{f4d74aaa-a178-4463-846b-b4bc87a024e0}\ | C:\Windows\SysWOW64\issearch.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\issearch.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\issearch.exe | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\ixt0.dll | C:\Windows\SysWOW64\issearch.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\issearch.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchUrl | C:\Windows\SysWOW64\issearch.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Search | C:\Windows\SysWOW64\issearch.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{f4d74aaa-a178-4463-846b-b4bc87a024e0} | C:\Windows\SysWOW64\issearch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4d74aaa-a178-4463-846b-b4bc87a024e0}\ | C:\Windows\SysWOW64\issearch.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{f4d74aaa-a178-4463-846b-b4bc87a024e0}\InprocServer32 | C:\Windows\SysWOW64\issearch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4d74aaa-a178-4463-846b-b4bc87a024e0}\InprocServer32\ = "C:\\Windows\\SysWow64\\ixt0.dll" | C:\Windows\SysWOW64\issearch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4d74aaa-a178-4463-846b-b4bc87a024e0}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\issearch.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\issearch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe"
C:\Windows\SysWOW64\issearch.exe
C:\Windows\system32\issearch.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F089E1~1.EXE > nul
Network
Files
\Windows\SysWOW64\issearch.exe
| Hash | Value |
| --- | --- |
| MD5 | d836def18dceef3f90a3d2b799c67928 |
| SHA1 | 955ddbced9ac5044d5e7176ad9e3822dbfdae45e |
| SHA256 | d34effe2f829136a42d3b41dc6755d203f8666d28a180413abea2d35688b2287 |
| SHA512 | 2a2034e194b69036c08d68dbfe90cf23f2a3473c267fc37857fa6deeb875bc004dfa1258172e6eef9d81d6d045afa52d22a4fd34c5410db8a9a5eb5ffd220511 |
\Windows\SysWOW64\ixt0.dll
| Hash | Value |
| --- | --- |
| MD5 | d13c32c6526290e9ab18527e4ca385db |
| SHA1 | dded4844285c8291ce9bd130ec8c1ef897641072 |
| SHA256 | d954f8c4ea7cb2e9c58408bfd1316516187f77908e2369e70c2888f1517f4e64 |
| SHA512 | 64fb0c14bcf3fdf7a4a7433049fa3cdbdb43e7fe6f000f6d26ab1058596ff580897dee58f7478c4c435664a76aa685d484d9dd0d47dc9ac9f66f1b249d47c9a7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-15 07:03
Reported
2024-04-15 07:06
Platform
win10v2004-20240412-en
Max time kernel
93s
Max time network
123s
Command Line
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run | C:\Windows\SysWOW64\issearch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\issearch.exe = "issearch.exe" | C:\Windows\SysWOW64\issearch.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\issearch.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\issearch.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f4d74aaa-a178-4463-846b-b4bc87a024e0} | C:\Windows\SysWOW64\issearch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f4d74aaa-a178-4463-846b-b4bc87a024e0}\ | C:\Windows\SysWOW64\issearch.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\issearch.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\issearch.exe | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\ixt0.dll | C:\Windows\SysWOW64\issearch.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Software\Microsoft\Internet Explorer\Search | C:\Windows\SysWOW64\issearch.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Software\Microsoft\Internet Explorer\SearchUrl | C:\Windows\SysWOW64\issearch.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\issearch.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4d74aaa-a178-4463-846b-b4bc87a024e0}\InprocServer32\ = "C:\\Windows\\SysWow64\\ixt0.dll" | C:\Windows\SysWOW64\issearch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4d74aaa-a178-4463-846b-b4bc87a024e0}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\issearch.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\issearch.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{f4d74aaa-a178-4463-846b-b4bc87a024e0} | C:\Windows\SysWOW64\issearch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4d74aaa-a178-4463-846b-b4bc87a024e0}\ | C:\Windows\SysWOW64\issearch.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{f4d74aaa-a178-4463-846b-b4bc87a024e0}\InprocServer32 | C:\Windows\SysWOW64\issearch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1160 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | C:\Windows\SysWOW64\issearch.exe |
| PID 1160 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | C:\Windows\SysWOW64\issearch.exe |
| PID 1160 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | C:\Windows\SysWOW64\issearch.exe |
| PID 1160 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1160 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1160 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f089e121bd206ec93e6583651d2e559c_JaffaCakes118.exe"
C:\Windows\SysWOW64\issearch.exe
C:\Windows\system32\issearch.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F089E1~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\issearch.exe
| Hash | Value |
| --- | --- |
| MD5 | d836def18dceef3f90a3d2b799c67928 |
| SHA1 | 955ddbced9ac5044d5e7176ad9e3822dbfdae45e |
| SHA256 | d34effe2f829136a42d3b41dc6755d203f8666d28a180413abea2d35688b2287 |
| SHA512 | 2a2034e194b69036c08d68dbfe90cf23f2a3473c267fc37857fa6deeb875bc004dfa1258172e6eef9d81d6d045afa52d22a4fd34c5410db8a9a5eb5ffd220511 |
C:\Windows\SysWOW64\ixt0.dll
| Hash | Value |
| --- | --- |
| MD5 | d13c32c6526290e9ab18527e4ca385db |
| SHA1 | dded4844285c8291ce9bd130ec8c1ef897641072 |
| SHA256 | d954f8c4ea7cb2e9c58408bfd1316516187f77908e2369e70c2888f1517f4e64 |
| SHA512 | 64fb0c14bcf3fdf7a4a7433049fa3cdbdb43e7fe6f000f6d26ab1058596ff580897dee58f7478c4c435664a76aa685d484d9dd0d47dc9ac9f66f1b249d47c9a7 |